CN109743187A - Industrial control network anomaly detection method and device - Google Patents
- Publication number
- CN109743187A CN201811404708.8A
- Authority
- CN
- China
- Prior art keywords
- baseline
- sequence
- data frame
- industry control
- security
- Legal status
- Granted
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Testing And Monitoring For Control Systems (AREA)
Abstract
The embodiments of the present invention provide an industrial control network anomaly detection method and device. The method includes: based on an unsupervised baseline learning method, automatically generating the security baseline for a given time period and alerting on abnormal data frames or data frame sequences; and, when a security baseline is generated in a new time period, analyzing the trend of the historical security baseline sequence within a preset time span, and predicting and alerting on potential security threats according to the trend analysis result. The embodiment performs anomaly detection on an industrial control network without first generating a network security baseline by supervised learning and then adjusting and confirming it by hand; instead, the network security baseline is generated automatically from continuously captured network traffic. By analyzing the trend of the historical baseline sequence, potential threats in which the baseline sequence gradually deviates from normal values can be discovered. The method reduces the operational complexity of generating an industrial control security baseline and improves the stability of the security baseline.
Description
Technical field
The embodiments of the present invention relate to the technical field of industrial network security, and in particular to an industrial control network anomaly detection method and device.
Background technique
With the rapid development of information technology, industrial control networks face more and more risks.
At present, the prior art discloses a number of anomaly detection methods for industrial control networks. Some of them are post-compromise detection methods, which cannot make an effective prediction or take active defensive measures before a network anomaly occurs. Some detect network anomalies along the dimensions of network speed, bandwidth and the corresponding time period, and pay no attention to the content and details of the communication data in the network. Some describe how to determine abnormal traffic from an algorithmic angle, but when applied to protecting industrial control network security they require feature values and a rule engine to be set up before anomaly detection can begin; extracting the feature values, configuring the rule engine and judging the results all depend on a certain amount of experience, the method is complicated to apply, parameters must be tuned repeatedly, and the final result is limited to the traffic obtained during tuning.
Some methods capture, identify and parse industrial network data and analyze it against industrial protocol behavior and an industrial behavior model library to determine whether the industrial traffic contains anomalies. The shortcomings of this approach are that there is no specific standard for building the industrial behavior model library; it only refers to using intelligent methods such as association mining, sequence mining, classification and clustering algorithms to handle the case where protocol behavior or device responses gradually trend abnormal over time, and it does not account for malformed packets encountered during deep protocol parsing.
Some methods detect industrial control network anomalies with a security baseline (a network whitelist) formed by self-learning from traffic. Although this approach is highly adaptable and flexible, in actual use there is no specific standard for how long the learning mode should stay on, the learning result depends strongly on the traffic captured during learning, the implementation process is complicated and lengthy, and adjusting the security baseline relies to some extent on the operator's industrial control security experience. Some methods protect the IEC 60870-5-104 protocol of the power sector efficiently but have certain limitations and cannot protect more industrial application scenarios, such as those based on the Modbus, S7COMM and ENIP/CIP industrial protocols.
In view of this, how to perform anomaly detection on industrial control networks has become a technical problem that currently needs to be solved.
Summary of the invention
In view of the problems of the prior art, the embodiments of the present invention provide an industrial control network anomaly detection method and device.
An embodiment of the present invention provides an industrial control network anomaly detection method, comprising:
based on an unsupervised baseline learning method, automatically generating the security baseline for a given time period, and alerting on abnormal data frames or data frame sequences;
when a security baseline is generated in a new time period, analyzing the trend of the historical security baseline sequence within a preset time span, and predicting and alerting on potential security threats according to the trend analysis result.
An embodiment of the present invention provides an industrial control network anomaly detection device, comprising:
a generation module, configured to automatically generate the security baseline for a given time period based on an unsupervised baseline learning method, and to alert on abnormal data frames or data frame sequences;
an analysis module, configured to analyze, when a security baseline is generated in a new time period, the trend of the historical security baseline sequence within a preset time span, and to predict and alert on potential security threats according to the trend analysis result.
An embodiment of the present invention provides an electronic device comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, wherein the processor implements the steps of the above method when executing the program.
The industrial control network anomaly detection method and device provided by the embodiments of the present invention automatically generate the security baseline for a given time period based on an unsupervised baseline learning method and alert on abnormal data frames or data frame sequences; when a security baseline is generated in a new time period, they analyze the trend of the historical security baseline sequence within a preset time span and predict and alert on potential security threats according to the trend analysis result. Anomaly detection on the industrial control network is thereby achieved without first generating a network security baseline by supervised learning and then adjusting and confirming it by hand; instead, the network security baseline is generated automatically from continuously captured network traffic. By analyzing the trend of the historical baseline sequence, potential threats in which the baseline sequence gradually deviates from normal values can be discovered. The method reduces the operational complexity of generating an industrial control security baseline and improves the stability of the security baseline.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of an industrial control network anomaly detection method provided by an embodiment of the present invention;
Fig. 2 is a trend diagram of a stable data frame baseline or data frame sequence baseline provided by an embodiment of the present invention;
Fig. 3 is a trend diagram of a data frame or data frame sequence baseline in which the state of the industrial control environment gradually drifts, provided by an embodiment of the present invention;
Fig. 4 is a diagram of a typical application scenario of the method provided by an embodiment of the present invention;
Fig. 5 is a structural diagram of an industrial control network anomaly detection device provided by an embodiment of the present invention;
Fig. 6 is a diagram of the physical structure of an electronic device provided by an embodiment of the present invention.
Specific embodiment
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the protection scope of the present invention.
Fig. 1 is a flow diagram of an industrial control network anomaly detection method provided by an embodiment of the present invention. As shown in Fig. 1, the method of this embodiment comprises:
S1: Based on an unsupervised baseline learning method, automatically generate the security baseline for a given time period, and alert on abnormal data frames or data frame sequences.
S2: When a security baseline is generated in a new time period, analyze the trend of the historical security baseline sequence within a preset time span, and predict and alert on potential security threats according to the trend analysis result.
The method provided by this embodiment automatically generates the security baseline for a given time period based on an unsupervised baseline learning method and alerts on abnormal data frames or data frame sequences; when a security baseline is generated in a new time period, it analyzes the trend of the historical security baseline sequence within a preset time span and predicts and alerts on potential security threats according to the trend analysis result. Anomaly detection on the industrial control network is thereby achieved without first generating a network security baseline by supervised learning and then adjusting and confirming it by hand; instead, the network security baseline is generated automatically from continuously captured network traffic. By analyzing the trend of the historical baseline sequence, potential threats in which the baseline sequence gradually deviates from normal values can be discovered. The method reduces the operational complexity of generating an industrial control security baseline and improves the stability of the security baseline.
Further, on the basis of the above embodiment, step S1 may include steps P1-P6, which are not shown in the figure:
P1: Continuously capture the industrial control traffic within a given time period, and perform protocol identification on the data frames in the captured traffic.
P2: Determine whether a malformed data frame has been identified; if so, raise an anomaly alert directly.
P3: If no malformed data frame is identified, the data frames in the captured industrial control traffic are valid data frames; parse out the data frame type and point value of each valid data frame, and perform cluster analysis on the data frame type and on the point value separately.
P4: If the data frame type and point value are greater than or equal to the preset initial threshold, raise an anomaly alert.
It can be understood that the preset initial threshold can be configured according to the actual situation; this embodiment does not limit it.
P5: If the data frame type and point value are less than the preset initial threshold, update the cluster state, perform sequence modeling on the valid data frames, and set a weight for each data frame sequence. If a data frame sequence violates the sequence pattern, raise an alert; if it does not, update the weight of the sequence pattern.
It can be understood that the sequence model can be expressed as, but is not limited to, a finite state machine (FSM), and that abnormal sequences can be detected with, but not only with, probability analysis, model checking (Model Checker) and similar techniques. In the field of industrial control anomaly detection, any way of expressing sequence patterns and any method based on sequence anomaly detection falls within the protection scope of the method of this embodiment.
P6: After a given time period has elapsed, the security baseline for that period is obtained automatically. The security baseline includes: the cluster baseline Bv (Baseline of value) of data frame types and point values, and the weighted data frame sequence pattern baseline Bs (Baseline of sequence).
It can be understood that the unsupervised baseline learning method in this embodiment covers three aspects: malformed packet detection, data frame clustering (type identification and point value analysis), and data frame sequence modeling. The method of this embodiment is not limited to a specific algorithm; any method that achieves the effect of these three aspects falls within its protection scope. Compared with traditional methods of generating an industrial control security baseline, the advantage of the unsupervised baseline learning method of this embodiment is that it does not need the three phases "start learning", "finish learning" and "manual tuning"; instead, the security baseline is generated automatically within the specified time period, which reduces the operational complexity of implementing the method.
It can be understood that industrial control networks are strongly periodic, and that this periodicity shows both in the variation of point values and in the variation of data frame sequences. Modeling based on sequence analysis therefore captures the periodic characteristics of an industrial control network well.
It can be understood that when a network anomaly is found within the current time period, such as a malformed packet, a data frame that is far from the cluster center, or a data frame sequence with a very small weight, the method of this embodiment raises an anomaly alert directly.
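Steps P2-P6 as an added example that is not part of the patent text: one learning period that raises alerts while it builds Bv and Bs. The single mean-centred cluster per frame type, the transition-count weights, the threshold values, the `min_samples` guard and the sample traffic are all assumptions chosen for illustration; the patent leaves the algorithms open.

```python
from collections import defaultdict
from statistics import mean


class PeriodBaseline:
    """One learning period of steps P2-P6 (added illustration, not the patent's code)."""

    def __init__(self, value_threshold=10.0, min_weight=0.05, min_samples=5):
        self.value_threshold = value_threshold  # stands in for the "preset initial threshold"
        self.min_weight = min_weight            # assumed cut-off for a "very small" weight
        self.min_samples = min_samples          # assumed: observations needed before judging
        self.values = defaultdict(list)         # frame type -> accepted point values
        self.transitions = defaultdict(dict)    # previous type -> {next type: count}
        self.prev_type = None

    def observe(self, frame):
        """Process one parsed frame and return the alerts it raises (empty if normal)."""
        if frame["malformed"]:                                   # P2
            return ["malformed frame"]
        ftype, value = frame["type"], frame["value"]
        members = self.values[ftype]
        # P3/P4: one cluster per frame type; distance is measured to the cluster centre.
        if len(members) >= self.min_samples and \
                abs(value - mean(members)) >= self.value_threshold:
            return [f"{ftype}: point value {value} is far from the cluster centre"]
        members.append(value)                                    # P5: update cluster state
        alerts = []
        if self.prev_type is not None:
            out = self.transitions[self.prev_type]
            total = sum(out.values())
            weight = out.get(ftype, 0) / total if total else 0.0
            if total >= self.min_samples and weight < self.min_weight:
                alerts.append(f"sequence {self.prev_type}->{ftype} violates the pattern")
            else:
                out[ftype] = out.get(ftype, 0) + 1               # P5: update pattern weight
        self.prev_type = ftype
        return alerts

    def baseline(self):
        """P6: the period's security baseline as Bv (values) and Bs (weighted sequences)."""
        bv = {t: {"centre": mean(v), "min": min(v), "max": max(v)}
              for t, v in self.values.items() if v}
        bs = {}
        for prev, out in self.transitions.items():
            total = sum(out.values())
            for nxt, count in out.items():
                bs[(prev, nxt)] = count / total
        return {"Bv": bv, "Bs": bs}


def run_demo():
    """Feed constructed polling traffic, then three constructed anomalies."""
    learner = PeriodBaseline()
    alerts = []
    for i in range(30):  # constructed normal request/response cycle
        alerts += learner.observe({"type": "read_req", "value": 100, "malformed": False})
        alerts += learner.observe({"type": "read_resp", "value": 50 + i % 3, "malformed": False})
    alerts += learner.observe({"type": "read_req", "value": 100, "malformed": True})
    alerts += learner.observe({"type": "read_req", "value": 0xFFFF, "malformed": False})
    alerts += learner.observe({"type": "write_req", "value": 100, "malformed": False})
    return alerts, learner.baseline()


if __name__ == "__main__":
    found, result = run_demo()
    print("\n".join(found))
    print(result)
```

Alerting frames are not folded into the cluster or the pattern weights, so the baseline returned at the end of the period reflects only traffic that passed every check.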
Further, on the basis of the above embodiment, step S2 may include steps Q1-Q4, which are not shown in the figure:
Q1: Archive the obtained security baseline at regular time periods.
Q2: Use the baseline result archived for the previous time period as the baseline starting point of the current time period.
Q3: Starting from that baseline starting point, perform trend analysis on the data frame types and point values separately, and analyze the trend of the data frame sequence weights.
It can be understood that the analysis of the historical baseline sequence in this embodiment is used to discover, on a long time scale, cases in which the monitored state slowly undergoes baseline drift. Baselines can be compared using any high-dimensional distance analysis or any data mining algorithm such as association mining, sequence analysis, classification or clustering.
Q4: If either the trend of data frame types and point values or the trend of data frame sequence weights changes persistently, it is determined that the industrial control network is stable in the short term but has remained in an unstable state on a long time scale, and an alert is raised for this long-time-scale instability of the industrial control network.
Further, after step Q3 performs trend analysis on the data frame types and point values from the baseline starting point and analyzes the trend of the data frame sequence weights, the method may also include:
if the trend of data frame types and point values and the trend of data frame sequence weights both tend towards stability, determining that the current state of the industrial control network is stable.
It can be understood that the archived security baseline sequence provides the data basis for trend analysis. By analyzing the security baselines generated over a longer period, the trend of the security baseline is judged: it is either in a stable state or undergoing persistent slow change. This mechanism, based on analyzing the historical security baseline sequence, can discover more concealed potential security threats. A stable baseline trend is shown in Fig. 2 and an unstable baseline trend in Fig. 3. Although an unstable baseline trend is not easy to spot over a short time, the method of this embodiment analyzes the baseline sequence trend on a long time scale and can discover this concealed trend, so that security threats can be predicted and alerted on as early as possible.
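Steps Q1, Q3 and Q4 as an added example that is not part of the patent text: each archived baseline is reduced to scalar metrics, and a metric is reported as drifting when its period-to-period changes keep the same direction and add up to a noticeable shift. The least-squares slope, the persistence ratio, both thresholds, the metric names and the twelve constructed periods are assumptions; the patent allows any distance or data mining method here.

```python
from statistics import mean


def trend(series):
    """Least-squares slope per period and the share of steps moving in that direction."""
    n = len(series)
    x_mean, y_mean = (n - 1) / 2, mean(series)
    slope = (sum((x - x_mean) * (y - y_mean) for x, y in enumerate(series))
             / sum((x - x_mean) ** 2 for x in range(n)))
    steps = [b - a for a, b in zip(series, series[1:])]
    persistence = sum(1 for d in steps if d * slope > 0) / len(steps)
    return slope, persistence


def analyze_history(history, min_persistence=0.8, min_rel_shift=0.05):
    """Q3/Q4: return {metric: slope} for every metric that changes persistently.

    history is the archive from Q1: one {"Bv": {...}, "Bs": {...}} dict per period,
    oldest first. Both thresholds are assumed values, not taken from the patent.
    """
    metrics = {}
    for baseline in history:
        for kind in ("Bv", "Bs"):
            for key, value in baseline[kind].items():
                metrics.setdefault((kind, key), []).append(value)
    drifting = {}
    for name, series in metrics.items():
        if len(series) < 3:
            continue  # too few archived periods to speak of a trend
        slope, persistence = trend(series)
        total_shift = abs(slope) * (len(series) - 1)
        rel_shift = total_shift / max(abs(mean(series)), 1e-9)
        if persistence >= min_persistence and rel_shift >= min_rel_shift:
            drifting[name] = round(slope, 3)
    return drifting


def build_history(periods=12):
    """Constructed archive: one stable point value, one slowly rising value,
    and a write sequence whose weight creeps up by 0.01 per period."""
    jitter = [0.2, -0.1, 0.1, -0.2, 0.0, 0.1, -0.1, 0.2, -0.2, 0.1, 0.0, -0.1]
    history = []
    for i in range(periods):
        j = jitter[i % len(jitter)]
        history.append({
            "Bv": {"read_resp": 51 + j, "setpoint": 70 + 0.5 * i + j},
            "Bs": {("read_req", "read_resp"): 1.0,
                   ("read_resp", "read_req"): 1.0 - 0.01 * i,
                   ("read_resp", "write_req"): 0.01 * i},
        })
    return history


if __name__ == "__main__":
    for metric, slope in analyze_history(build_history()).items():
        print("long-time-scale drift:", metric, "slope per period", slope)
```

In the constructed data the `setpoint` centre moves by about half a unit per period, a step small enough to stay inside a period's own cluster, yet the archive shows eleven consecutive moves in the same direction.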
It should be specifically noted that while industrial control equipment is being commissioned, the state of the industrial control network itself is unstable, so the method of this embodiment would generate a large number of false positives during commissioning. More seriously, once commissioning data enters the method, it affects the security baseline model that the method generates. Use of the method therefore needs to be suspended while industrial control equipment is being commissioned.
Fig. 4 is a diagram of a typical application scenario of the method of this embodiment. The method is implemented in a monitoring device, and the continuous communication traffic between the host computer and the lower-level devices in the industrial control network is fed into the monitoring device through a mirror port. When a malicious attacker is present, or a point becomes abnormal for some other reason, the method can raise an anomaly alert in time. Protection of Schneider series PLCs (programmable logic controllers) and of Siemens S7-300 series PLCs is used below to illustrate how the method performs anomaly detection.
The Schneider host computer and the PLC communicate over the unauthenticated Modbus protocol. Normally the host computer sends a request with a certain function code and the PLC answers with the corresponding function code. The request function codes are usually: read coils, read registers, read discrete inputs, and so on. The PLC answers the host computer's request with the corresponding point values. The method of this embodiment can alert on the following abnormal conditions:
1. A malformed Modbus data frame appears, for example a Modbus data frame with 200 bytes of 61 appended at the end of the message.
2. A request message that deviates from the normal points, or a response message that deviates from the normal point values, appears. For example, a data frame changes the Word Count value to the maximum 0xFFFF; after cluster analysis this value is found to be an isolated point in the Modbus request sequence.
3. A low-probability request suddenly appears in the normal request sequence, for example a write operation suddenly appearing in a long-running, high-volume sequence of read requests and responses.
The method of this embodiment obtains two baselines. The function codes and address ranges of "read"-type request messages have relatively high probability and the function codes of "write"-type messages have lower probability; specifically, there are a large number of requests and responses with Read function codes (function code 1, function code 2 and function code 3), and Write function codes occur with extremely low probability. The message sequence is a simple "request-response", and the function code types correspond.
Since the Modbus protocol sequence is a simple "request-response" pattern, the Siemens S7COMM protocol is used here as the example to illustrate the validity of sequence modeling and the learning effect on sequences.
In the communication sequence, the order in which each message appears and the number of times it appears follow a periodic probability. The method of this embodiment alerts on the following types of anomaly:
1. The communication sequence is violated, for example an S7 request is sent directly to the S7-300 without an S7 connection having been established (Setup Communication).
2. The number of times a message type appears does not match expectations, for example Setup Communication connection requests are sent to the S7-300 repeatedly, which may be a DDoS attack.
3. Periodic sequence segments are inconsistent, for example the time interval at which Request Cyclic Data Memory type messages appear is unstable.
Baseline sequence drift occurs in two cases: (1) request messages sent to the controller; (2) response messages from the controller. For example, the value that requests set on the controller changes slowly and gradually, or some physical quantity monitored by the controller gradually deviates from its normal value. Such a case is not easy to spot in the short term, but trend analysis of the baseline sequence shows how the state of the industrial control network drifts away from its original state over time.
It can be understood that the type and format of the baseline data generated by the method of this embodiment are not limited to Modbus and S7COMM; any security baseline format that follows the idea of the method falls within its protection scope.
The industrial control network anomaly detection method provided by the embodiment of the present invention performs anomaly detection on an industrial control network without first generating a network security baseline by supervised learning and then adjusting and confirming it by hand; instead, the network security baseline is generated automatically from continuously captured network traffic. By analyzing the trend of the historical baseline sequence, potential threats in which the baseline sequence gradually deviates from normal values can be discovered. The method reduces the operational complexity of generating an industrial control security baseline and improves the stability of the security baseline. The method is not limited to industrial control networks; it can be applied to any strongly periodic network.
The implementation process of the method is simpler: it does not need the three phases "start learning", "finish learning" and "manual adjustment", it builds the baseline automatically and without supervision, and it performs anomaly detection while the security baseline is being built. There is therefore no whitelist learning process, and implementation is simpler and more convenient.
The method monitors the periodicity of the network from a higher level: on top of its intelligent algorithms, it further performs trend analysis on the baseline sequence, so that threats that a short-cycle baseline cannot detect are found effectively. In other words, when the state of the industrial control network "migrates" inconspicuously, the baseline trend analysis of the method can find it relatively easily.
The method is a forward-looking prediction method. It can discover minor anomalies in the industrial control network so that defensive measures can be taken in advance, rather than alerting after compromise.
The monitoring object of the method is more direct: it monitors the data frame content and data frame sequences of the industrial control network directly, rather than other attributes reflected by the data frames (such as network speed, bandwidth and the corresponding time period), so the root cause of a network anomaly is easier to locate quickly.
Fig. 5 shows a kind of structural schematic diagram of industry control network abnormal detector provided in an embodiment of the present invention, such as Fig. 5
It is shown, the industry control network abnormal detector of the present embodiment, comprising: generation module 51 and analysis module 52;Wherein:
The generation module 51 automatically generates in a certain period of time for being based on unsupervised formula baseline learning method
Security baseline, and abnormal data frame or sequence of data frames are alerted;
The analysis module 52, when for generating security baseline within the new time cycle, to going through in preset time period
The variation tendency of history security baseline sequence is analyzed, and potential security threat is predicted and accused according to trend analysis result
It is alert.
Specifically, the generation module 51 is based on unsupervised formula baseline learning method, automatically generates in a certain period of time
Security baseline, and abnormal data frame or sequence of data frames are alerted;The analysis module 52 is within the new time cycle
When generating security baseline, the variation tendency of the history security baseline sequence in preset time period is analyzed, according to trend point
Analysis result is predicted and is alerted to potential security threat.
Industry control network abnormal detector provided in an embodiment of the present invention, realizes the abnormality detection to industry control network, nothing
It need to have previously been based on after supervised study generates network security baseline and carry out manually adjusting confirmation again, but according to the net of lasting acquisition
Network flow, automatic generating network security baseline, by analysis of history baseline sequence trend, it can be found that baseline sequence is gradually deviated from
The potential threat of normal value, the present embodiment reduce the operation complexity for generating industry control security baseline, improve security baseline
Stability.
Further, on the basis of the above embodiments, the generation module 51, can be specifically used for:
The industry control flow in a certain period of time is persistently captured, and the data frame in the industry control flow captured is assisted
View identification;
Judge whether to identify lopsided data frame, if identifying lopsided data frame, directly carries out abnormality alarming;
If unidentified data frame lopsided out, the data frame in industry control flow captured is valid data frame, parsing
The value of the data frame type of valid data frame and point out, and cluster point is carried out to the value of the data frame type and point respectively
Analysis;
If the value of the data frame type and point is more than or equal to default initial threshold, abnormality alarming is carried out;
If the value of the data frame type and point is less than default initial threshold, cluster state is updated, and to legal number
Series Modeling is carried out according to frame and weight is arranged to each sequence of data frames, if there is sequence of data frames to violate sequence pattern, into
Row alarm, if sequence of data frames is without violating sequence pattern, the weight of renewal sequence mode;
By a certain period of time, the security baseline in period this period is automatically obtained, the security baseline includes: number
According to the cluster baseline Bv and sequence of data frames mode baseline Bs with weight of frame type and point place value.
It can be understood that the preset initial threshold can be configured according to the actual situation; this embodiment does not limit it.
It can be understood that the sequence model of this embodiment may be expressed as, but is not limited to, a finite state machine (FSM), and that abnormal sequences may be detected by, but not limited to, probability analysis, model checking (Model Checker) and similar techniques. In the field of industrial control anomaly detection, any representation of sequence patterns and any method based on sequence anomaly detection falls within the protection scope of the device of this embodiment.
It can be understood that the unsupervised baseline learning method in this embodiment covers three aspects: abnormal packet detection, data frame clustering (type identification and point value analysis), and data frame sequence modeling. The method of this embodiment is not limited to a specific implementation algorithm; any method that achieves the effect of these three aspects falls within the protection scope of the device of this embodiment. Compared with traditional industrial control security baseline generation methods, the advantage of the unsupervised baseline learning method of this embodiment is that it does not need the three stages "start learning", "complete learning" and "manual debugging"; instead, the security baseline is generated automatically within the specified time period, which reduces the operational complexity of implementation.
It can be understood that industrial control networks are strongly periodic, and that this periodicity appears both in the variation of point values and in the variation of data frame sequences. Modeling based on sequence analysis therefore captures the cyclic characteristics of the industrial control network and achieves good results.
It can be understood that when a network anomaly is found in the current time period, such as an abnormal packet, a data frame that deviates markedly from its cluster center, or a data frame sequence with a very small weight, this embodiment raises an anomaly alarm directly.
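The per-period learning loop described above can be sketched as follows. This is an added example, not code from the patent: it assumes 12-byte Modbus/TCP requests as the captured frames, a running-mean cluster per (function code, register), first-order transitions as the sequence model, and a hypothetical `warmup` count after which unseen points or transitions are alarmed; all class and function names are illustrative.

```python
import struct
from collections import defaultdict


def parse_modbus_tcp(raw: bytes):
    """Parse a 12-byte Modbus/TCP request; return (func, addr, value) or None if malformed."""
    if len(raw) != 12:
        return None
    _tid, proto, length, _unit, func = struct.unpack(">HHHBB", raw[:8])
    # MBAP rules: protocol id is 0 and the length field counts the bytes after it.
    if proto != 0 or length != len(raw) - 6:
        return None
    addr, value = struct.unpack(">HH", raw[8:])
    return func, addr, value


class PeriodBaselineLearner:
    """Learns Bv (cluster centers) and Bs (weighted transitions) for one time period."""

    def __init__(self, threshold, warmup=20):
        self.threshold = threshold            # the "preset initial threshold"
        self.warmup = warmup                  # assumption: frames accepted before alarming on novelty
        self.centers = {}                     # (func, addr) -> [running mean, count]
        self.transitions = defaultdict(int)   # (previous key, key) -> occurrences
        self.prev = None
        self.seen = 0
        self.alerts = []

    def observe(self, raw):
        parsed = parse_modbus_tcp(raw)
        if parsed is None:                    # step 1: malformed frame, alarm directly
            self.alerts.append(("malformed", raw.hex()))
            return
        func, addr, value = parsed
        key = (func, addr)
        center = self.centers.get(key)
        if center is None:
            if self.seen >= self.warmup:      # unknown frame type/point late in the period
                self.alerts.append(("new-point", key, value))
                return
            self.centers[key] = [float(value), 1]
        elif abs(value - center[0]) >= self.threshold:
            self.alerts.append(("value", key, value))   # step 2: far from cluster center
            return                            # outliers never update the baseline
        else:
            center[1] += 1                    # update cluster state (running mean)
            center[0] += (value - center[0]) / center[1]
        edge = (self.prev, key)
        if self.prev is not None:
            if self.seen >= self.warmup and edge not in self.transitions:
                self.alerts.append(("sequence", edge))  # step 3: sequence pattern violated
            else:
                self.transitions[edge] += 1   # otherwise raise the pattern's weight
        self.prev = key
        self.seen += 1

    def close_period(self):
        """Return (Bv, Bs): cluster centers and transition weights normalised to sum to 1."""
        total = sum(self.transitions.values()) or 1
        bv = {k: round(c[0], 2) for k, c in self.centers.items()}
        bs = {e: n / total for e, n in self.transitions.items()}
        return bv, bs


def frame(tid, func, addr, value, length=6):
    """Build a constructed Modbus/TCP request (unit id 1) for the demo."""
    return struct.pack(">HHHBBHH", tid, 0, length, 1, func, addr, value)


def run_demo():
    learner = PeriodBaselineLearner(threshold=50, warmup=20)
    for i in range(30):                                     # constructed periodic traffic
        learner.observe(frame(2 * i, 3, 0, 2))              # poll: read 2 registers at 0
        learner.observe(frame(2 * i + 1, 6, 10, 500 + i % 3))  # write setpoint to register 10
    learner.observe(frame(100, 6, 10, 500, length=9))       # wrong MBAP length
    learner.observe(frame(101, 6, 10, 900))                 # setpoint far from center
    learner.observe(frame(102, 6, 10, 501))                 # legal value, but write follows write
    learner.observe(frame(103, 6, 99, 500))                 # register never seen before
    bv, bs = learner.close_period()
    return learner.alerts, bv, bs


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

The third constructed anomaly carries a normal value for a known point and is caught only by the sequence model, which is why the text treats value clustering and sequence modeling as separate aspects.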
Further, on the basis of the above embodiments, the analysis module 52 may be specifically configured to:
archive the obtained security baseline at regular time periods;
use the archived baseline result of the previous time period as the baseline starting point of the current time period;
for the baseline starting point, perform trend analysis on the data frame type and the point value respectively, and analyze the weight variation trend of the data frame sequences;
if any one of the variation trend of the data frame type and point value and the weight variation trend of the data frame sequences changes persistently, determine that the industrial control network is stable in the short term but has remained in an unstable state on a long time scale, and raise an alarm for the unstable state of the industrial control network on the long time scale.
Further, the analysis module 52 may also be configured to:
after performing, for the baseline starting point, trend analysis on the data frame type and the point value respectively and analyzing the weight variation trend of the data frame sequences, determine that the current state of the industrial control network is stable if the variation trend of the data frame type and point value and the weight variation trend of the data frame sequences tend to be stable.
It can be understood that in this embodiment the analysis of the historical baseline sequence is used to find cases where the monitored state slowly undergoes baseline drift on a long time scale; baselines can be compared using any high-dimensional distance analysis or data mining algorithm such as association mining, sequence analysis, classification or clustering.
It can be understood that the archived security baseline sequence provides the data basis for trend analysis. By analyzing the security baselines generated over a longer time, the variation trend of the security baseline is judged: either it is in a stable state, or it keeps changing slowly. This mechanism, based on analyzing the historical security baseline sequence, can find more deeply hidden potential security threats.
A stable baseline trend is shown in Fig. 2, and an unstable baseline trend in Fig. 3. Although a change in an unstable baseline trend is not easy to notice in the short term, this embodiment can find this hidden variation trend by analyzing the baseline sequence trend on a long time scale, so that security threats can be predicted and alerted on as early as possible.
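The distinction drawn above (each period looks normal against its starting point, yet the archive as a whole is moving) can be checked as in the following added example, which is not code from the patent. The patent leaves the comparison algorithm open; this sketch assumes a Kendall-style monotonic trend statistic, per-metric thresholds, and constructed archive values, and its function and metric names are illustrative.

```python
from itertools import combinations


def kendall_tau(series):
    """Monotonic trend in [-1, 1]: +1 strictly rising, -1 strictly falling, near 0 no trend."""
    pairs = list(combinations(series, 2))
    if not pairs:
        return 0.0
    return sum((b > a) - (b < a) for a, b in pairs) / len(pairs)


def classify(series, threshold, tau_min=0.8):
    """Classify one archived baseline metric across consecutive time periods.

    "jump"     : some period moved by >= threshold relative to its baseline starting point
    "drifting" : every step is below threshold (short-term stable), but the change is
                 persistent in one direction and its sum reaches the threshold
    "stable"   : neither of the above
    """
    steps = [abs(b - a) for a, b in zip(series, series[1:])]
    if any(s >= threshold for s in steps):
        return "jump"
    drift = series[-1] - series[0]
    if abs(kendall_tau(series)) >= tau_min and abs(drift) >= threshold:
        return "drifting"
    return "stable"


def analyse_archive(archive, thresholds):
    """archive: list of per-period dicts {metric: value}; returns {metric: state}."""
    return {m: classify([period[m] for period in archive], thresholds[m])
            for m in archive[0]}


# Constructed archive of eight periods: two Bv cluster centers and two Bs sequence weights.
_centers = [501, 505, 510, 514, 519, 525, 530, 536]           # creeping setpoint
_polls = [2.0] * 8                                            # constant poll size
_weights = [0.50, 0.49, 0.47, 0.46, 0.44, 0.43, 0.41, 0.40]   # pattern slowly losing weight
_noise = [0.508, 0.507, 0.509, 0.508, 0.506, 0.509, 0.508, 0.507]

ARCHIVE = [
    {"Bv write reg 10": c, "Bv poll reg 0": p, "Bs poll->write": w, "Bs write->poll": n}
    for c, p, w, n in zip(_centers, _polls, _weights, _noise)
]
THRESHOLDS = {"Bv write reg 10": 20, "Bv poll reg 0": 20,
              "Bs poll->write": 0.05, "Bs write->poll": 0.05}

if __name__ == "__main__":
    for metric, state in analyse_archive(ARCHIVE, THRESHOLDS).items():
        print(f"{metric:18s} {state}")
```

Because each period starts from the previous period's archived baseline, no single step in the creeping series crosses its threshold; only the comparison across the whole archive reports it.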
It should be specifically noted that while industrial control equipment is being debugged, the state of the industrial control network itself is unstable, so the device of this embodiment would generate a large number of false alarms during debugging. More seriously, once debugging data enters the device of this embodiment, it affects the security baseline model that the device generates. Therefore, use of the device of this embodiment needs to be stopped while industrial control equipment is being debugged.
A typical application scenario of the device of this embodiment is shown in Fig. 4, where the device can serve as the monitoring device: the continuous communication traffic between the upper computer and the lower computer in the industrial control network is imported into the monitoring device through a mirror port. When a malicious attacker is present, or a point becomes abnormal for other reasons, the device of this embodiment can raise an anomaly alarm in time.
The industrial control network anomaly detection device provided by the embodiment of the present invention detects anomalies in the industrial control network without first generating a network security baseline through supervised learning and then manually adjusting and confirming it. Instead, it automatically generates the network security baseline from continuously acquired network traffic and, by analyzing the trend of the historical baseline sequence, can find potential threats in which the baseline sequence gradually deviates from normal values. This embodiment reduces the operational complexity of generating an industrial control security baseline and improves the stability of the security baseline. The device of this embodiment is not limited to industrial control networks; it can be applied to any strongly periodic network.
The implementation process of the industrial control network anomaly detection method provided by the embodiment of the present invention is simpler: the three stages "start learning", "complete learning" and "manual adjustment" are not needed; an unsupervised, automatic baseline construction process is carried out, and anomaly detection is performed while the security baseline is being built. There is therefore no whitelist learning process, and the implementation process is simpler and more convenient.
The industrial control network anomaly detection method provided by the embodiment of the present invention monitors the periodicity of the network at a higher level: on top of its intelligent algorithm, the method of this embodiment further performs trend analysis on the baseline sequence, and can thus effectively find hidden threats that a short-period baseline cannot detect. In other words, when the state of the industrial control network "migrates" inconspicuously, the baseline trend analysis of the method of this embodiment can find it relatively easily.
The industrial control network anomaly detection method provided by the embodiment of the present invention is a forward-looking prediction method: it can find minor anomalies in the industrial control network so that defensive measures can be taken in advance, rather than raising an alarm only after a compromise.
The monitored object of the industrial control network anomaly detection method provided by the embodiment of the present invention is more direct: the content of industrial control network data frames and the data frame sequences are monitored directly, rather than other attributes reflected by the data frames (such as network speed, bandwidth and the corresponding time period), so the essential cause of a network anomaly is easier to find.
The baseline data types and formats generated by the method of this embodiment are not limited to Modbus and S7COMM; any security baseline format consistent with the idea of the method of this embodiment falls within its protection scope.
The industrial control network anomaly detection device provided by the embodiment of the present invention can be used to execute the technical solutions of the foregoing method embodiments; its implementation principle and technical effects are similar and are not repeated here.
Fig. 6 shows a schematic diagram of the physical structure of an electronic device provided by an embodiment of the present invention. As shown in Fig. 6, the electronic device may include a memory 602, a processor 601, and a computer program stored on the memory 602 and runnable on the processor 601. When executing the program, the processor 601 implements the steps of the above method, for example: based on an unsupervised baseline learning method, automatically generating the security baseline within a certain time period, and raising alarms for abnormal data frames or data frame sequences; when a security baseline is generated in a new time period, analyzing the variation trend of the historical security baseline sequence within a preset time period, and predicting and alerting on potential security threats according to the trend analysis result.
An embodiment of the present invention provides a non-transitory computer-readable storage medium on which a computer program is stored. When executed by a processor, the computer program implements the steps of the above method, for example: based on an unsupervised baseline learning method, automatically generating the security baseline within a certain time period, and raising alarms for abnormal data frames or data frame sequences; when a security baseline is generated in a new time period, analyzing the variation trend of the historical security baseline sequence within a preset time period, and predicting and alerting on potential security threats according to the trend analysis result.
The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.
From the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus a necessary general-purpose hardware platform, and of course also by hardware. Based on this understanding, the above technical solution in essence, or the part of it that contributes to the prior art, can be embodied in the form of a software product. The computer software product may be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the methods described in each embodiment or in certain parts of an embodiment.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they may still modify the technical solutions described in the foregoing embodiments, or make equivalent replacements of some of the technical features; such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (10)
1. An industrial control network anomaly detection method, characterized by comprising:
based on an unsupervised baseline learning method, automatically generating the security baseline within a certain time period, and raising alarms for abnormal data frames or data frame sequences;
when a security baseline is generated in a new time period, analyzing the variation trend of the historical security baseline sequence within a preset time period, and predicting and alerting on potential security threats according to the trend analysis result.
2. The method according to claim 1, characterized in that automatically generating the security baseline within a certain time period based on the unsupervised baseline learning method, and raising alarms for abnormal data frames or data frame sequences, comprises:
continuously capturing the industrial control traffic within a certain time period, and performing protocol identification on the data frames in the captured industrial control traffic;
determining whether a malformed data frame is identified, and if a malformed data frame is identified, raising an anomaly alarm directly;
if no malformed data frame is identified, treating the data frames in the captured industrial control traffic as legal data frames, parsing the data frame type and point value of each legal data frame, and performing cluster analysis on the data frame type and on the point value respectively;
if the value of the data frame type and point is greater than or equal to a preset initial threshold, raising an anomaly alarm;
if the value of the data frame type and point is less than the preset initial threshold, updating the cluster state, performing sequence modeling on the legal data frames and assigning a weight to each data frame sequence; if a data frame sequence violates the sequence pattern, raising an alarm, and if no data frame sequence violates the sequence pattern, updating the weight of the sequence pattern;
after the certain time period has elapsed, automatically obtaining the security baseline for that period, the security baseline comprising: a cluster baseline Bv of data frame types and point values, and a weighted data frame sequence pattern baseline Bs.
3. The method according to claim 1, characterized in that, when a security baseline is generated in a new time period, analyzing the variation trend of the historical security baseline sequence within a preset time period, and predicting and alerting on potential security threats according to the trend analysis result, comprises:
archiving the obtained security baseline at regular time periods;
using the archived baseline result of the previous time period as the baseline starting point of the current time period;
for the baseline starting point, performing trend analysis on the data frame type and the point value respectively, and analyzing the weight variation trend of the data frame sequences;
if any one of the variation trend of the data frame type and point value and the weight variation trend of the data frame sequences changes persistently, determining that the industrial control network is stable in the short term but has remained in an unstable state on a long time scale, and raising an alarm for the unstable state of the industrial control network on the long time scale.
4. The method according to claim 3, characterized in that, after performing, for the baseline starting point, trend analysis on the data frame type and the point value respectively and analyzing the weight variation trend of the data frame sequences, the method further comprises:
if the variation trend of the data frame type and point value and the weight variation trend of the data frame sequences tend to be stable, determining that the current state of the industrial control network is stable.
5. An industrial control network anomaly detection device, characterized by comprising:
a generation module, configured to automatically generate the security baseline within a certain time period based on an unsupervised baseline learning method, and to raise alarms for abnormal data frames or data frame sequences;
an analysis module, configured to, when a security baseline is generated in a new time period, analyze the variation trend of the historical security baseline sequence within a preset time period, and predict and alert on potential security threats according to the trend analysis result.
6. The device according to claim 5, characterized in that the generation module is specifically configured to continuously capture the industrial control traffic within a certain time period, and perform protocol identification on the data frames in the captured industrial control traffic;
determine whether a malformed data frame is identified, and if a malformed data frame is identified, raise an anomaly alarm directly;
if no malformed data frame is identified, treat the data frames in the captured industrial control traffic as legal data frames, parse the data frame type and point value of each legal data frame, and perform cluster analysis on the data frame type and on the point value respectively;
if the value of the data frame type and point is greater than or equal to a preset initial threshold, raise an anomaly alarm;
if the value of the data frame type and point is less than the preset initial threshold, update the cluster state, perform sequence modeling on the legal data frames and assign a weight to each data frame sequence; if a data frame sequence violates the sequence pattern, raise an alarm, and if no data frame sequence violates the sequence pattern, update the weight of the sequence pattern;
after the certain time period has elapsed, automatically obtain the security baseline for that period, the security baseline comprising: a cluster baseline Bv of data frame types and point values, and a weighted data frame sequence pattern baseline Bs.
7. The device according to claim 5, characterized in that the analysis module is specifically configured to archive the obtained security baseline at regular time periods;
use the archived baseline result of the previous time period as the baseline starting point of the current time period;
for the baseline starting point, perform trend analysis on the data frame type and the point value respectively, and analyze the weight variation trend of the data frame sequences;
if any one of the variation trend of the data frame type and point value and the weight variation trend of the data frame sequences changes persistently, determine that the industrial control network is stable in the short term but has remained in an unstable state on a long time scale, and raise an alarm for the unstable state of the industrial control network on the long time scale.
8. The device according to claim 7, characterized in that the analysis module is further configured to:
after performing, for the baseline starting point, trend analysis on the data frame type and the point value respectively and analyzing the weight variation trend of the data frame sequences, determine that the current state of the industrial control network is stable if the variation trend of the data frame type and point value and the weight variation trend of the data frame sequences tend to be stable.
9. An electronic device comprising a memory, a processor, and a computer program stored on the memory and runnable on the processor, characterized in that the processor, when executing the program, implements the steps of the method according to any one of claims 1 to 4.
10. A non-transitory computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 4.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811404708.8A CN109743187B (en) | 2018-11-23 | 2018-11-23 | Industrial control network anomaly detection method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109743187A true CN109743187A (en) | 2019-05-10 |
CN109743187B CN109743187B (en) | 2021-11-16 |
Family
ID=66358059
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811404708.8A Active CN109743187B (en) | 2018-11-23 | 2018-11-23 | Industrial control network anomaly detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109743187B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
CB02 | Change of applicant information | Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088 Applicant after: QAX Technology Group Inc. Address before: 100015 15, 17 floor 1701-26, 3 building, 10 Jiuxianqiao Road, Chaoyang District, Beijing. Applicant before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd. |
GR01 | Patent grant | ||